Self-updating web applications

Posted: Thu Feb 26, 2009 7:28 am
by Chris Corbyn
I'm curious if there are any thoughts in "safe" ways to have a web application download new source code and update itself on demand?

I mean, some way for a PHP web application to include a "New Version Available: Click here to update" button under an admin panel?

Perhaps with some super-thorough security checking and a very acute portion of the site that runs with SuExec to gain increased privileges?

Security aside, this could be all too simple with something like git or subversion used as a host for new versions of the source.

Re: Self-updating web applications

Posted: Thu Feb 26, 2009 8:01 am
by kaisellgren
Chris Corbyn wrote:...if there are any thoughts in "safe" ways...?
Actually what you are asking is that "... if there are any thoughts in secure ways...?", but either way, the answer is Yes.

I have implemented a feature like that and so has WordPress 2.7.

Basically, the admin panel downloads a Zip file from your homepage. Then it checks that the fingerprint matches; the matching fingerprint has to be fetched from your home page with HTTPS. After that, you can be sure the contents are OK. Then you put your site in "maintenance" mode, extract the contents of the Zip and possibly update the database. Just make sure that the updater runs securely, by which I mean that no one can call it directly - it requires admin access with sufficient privileges. Plus, make sure you download the Zip into a place that is not viewable/downloadable by anyone else.
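The download, fingerprint check, maintenance mode and extraction steps from this post, as an added PHP example that is not code from the thread or from any project. The vendor URL, the directory paths and the MAINTENANCE flag file are hypothetical, and the caller is assumed to have already verified the admin session:

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread: the update flow kaisellgren describes.
// Hypothetical assumptions: the vendor publishes <version>.zip and <version>.zip.sha256
// over HTTPS, STAGING_DIR lies outside DocumentRoot, and the caller already
// checked that the request comes from an authenticated admin.
const VENDOR_BASE = 'https://updates.example.com/myapp/';
const STAGING_DIR = '/var/lib/myapp/updates';
const APP_ROOT    = '/var/www/myapp';

function fetchHttps(string $url): string
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException("refusing non-HTTPS URL: $url");
    }
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true, 'verify_peer_name' => true, 'allow_self_signed' => false,
    ]]);
    $data = @file_get_contents($url, false, $ctx);
    if ($data === false) { throw new RuntimeException("download failed: $url"); }
    return $data;
}

function applyUpdate(string $version): void
{
    if (!preg_match('/^\d+\.\d+\.\d+$/', $version)) {
        throw new InvalidArgumentException('bad version string');
    }
    $zipPath = STAGING_DIR . "/$version.zip";   // private staging location, not web-reachable
    file_put_contents($zipPath, fetchHttps(VENDOR_BASE . "$version.zip"));
    chmod($zipPath, 0600);
    // The fingerprint is fetched separately over HTTPS; compare in constant time.
    $expected = trim(fetchHttps(VENDOR_BASE . "$version.zip.sha256"));
    if (!hash_equals($expected, hash_file('sha256', $zipPath))) {
        unlink($zipPath);
        throw new RuntimeException('fingerprint mismatch, update discarded');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) { throw new RuntimeException('cannot open archive'); }
    for ($i = 0; $i < $zip->numFiles; $i++) {   // refuse entries that would escape APP_ROOT
        $name = $zip->getNameIndex($i);
        if ($name === '' || $name[0] === '/' || strpos($name, '..') !== false) {
            throw new RuntimeException("unsafe path in archive: $name");
        }
    }
    touch(APP_ROOT . '/MAINTENANCE');   // front controller serves a 503 while this flag exists
    try {
        $zip->extractTo(APP_ROOT);      // then run the release's DB migrations (app-specific)
    } finally {
        $zip->close();
        unlink(APP_ROOT . '/MAINTENANCE');
        unlink($zipPath);
    }
}
```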

Re: Self-updating web applications

Posted: Thu Feb 26, 2009 8:21 am
by VladSun
I know this post is not what you want, but it's still related :)

I've implemented a similar feature for my web applications but on the client side (heavy ExtJS). There are 3 companies that use the same application and when it's updated via CVS users have to reload the web application in order to work with the new version. So, I've created a small module which executes AJAX requests every 15 + rand(2) seconds. It checks:
- if the Apache server is online; displays an error message when Apache is down and rechecks it every 2 sec.;
- if a new version is available (and requires page reload);
- if the user's role has been changed by the administrator (and requires page reload);
- if the user is still logged in (and requires page reload).

A very nice side effect is that the user's session is kept alive regardless of server settings.

Re: Self-updating web applications

Posted: Fri Feb 27, 2009 12:14 am
by alex.barylski
I have implemented a feature like that and so has WordPress 2.7.
The second I read WP in a security forum I stopped reading. :P

Re: Self-updating web applications

Posted: Fri Feb 27, 2009 7:50 am
by kaisellgren
PCSpectra wrote:
I have implemented a feature like that and so has WordPress 2.7.
The second I read WP in a security forum I stopped reading. :P
:lol:

You are right... those two do not fit into the same category... WP still lacks in so many security aspects.

Re: Self-updating web applications

Posted: Sun Mar 01, 2009 10:40 pm
by Chris Corbyn
Cool. I think my main concern was about running an application where all the PHP files are writable to the apache user. But then again, in theory the code should never have any holes that allow those files to be rewritten. Yet having an entire module in the code whose job it is to write to those files feels scary.

I know that really it's down to making sure the application has enough security constraints to prevent exploits/misuse but it still feels scary. Only a matter of time before a new security exploit in PHP itself is discovered and suddenly your casual hacker ends up being able to rewrite your application's source code. Am I just being over-cautious?

I was thinking about adding a really quite basic tool that tries to do a "git pull" from an origin repository.

Re: Self-updating web applications

Posted: Mon Mar 02, 2009 6:55 am
by kaisellgren
Chris Corbyn wrote:Cool. I think my main concern was about running an application where all the PHP files are writable to the apache user. But then again, in theory the code should never have any holes that allow those files to be rewritten. Yet having an entire module in the code whose job it is to write to those files feels scary.

I know that really it's down to making sure the application has enough security constraints to prevent exploits/misuse but it still feels scary. Only a matter of time before a new security exploit in PHP itself is discovered and suddenly your casual hacker ends up being able to rewrite your application's source code. Am I just being over-cautious?

I was thinking about adding a really quite basic tool that tries to do a "git pull" from an origin repository.
Well, theoretically speaking, you weaken some protections of your system (very little, and yet I am talking about protections, not defenses), but the automatic updater will also add strength to the whole security design, because it can quickly update the site if the vendor has issued a patch.

Think. If someone is able to write random data into your PHP files, then your script just will not work and you get parse errors, but if someone can insert any code he likes into your PHP files, then it means he could create new PHP files as well. So, it does not really matter if the Apache user is not able to write into those files, if the attacker can create new files. Well, you could tune your system so that the Apache user cannot create or write anything in the whole public root, but the vulnerability you have would allow the attacker to write outside the public root and create a new file which CHMODs the project PHP files. Having everything non-writable by the Apache user is basically impossible. There are always places like log directories, temp directories, etc., which are writable by the Apache user. Then the attacker will create new PHP files there and execute them to CHMOD other places to writable.

Seriously, create an automatic updater if you feel like it. Do code it carefully and with security in mind.